RE: Failed to authenticate the user

2012-08-07 Thread Mark Holmes
Hi George,

Have you ever heard of Google?  It's amazing the stuff you can find on there, 
and people won't get annoyed with you for asking the list to do your job for 
you - which comes across as a bit lazy...

HUP is straightforward, read

http://www.freebsddiary.org/hup.php

Everyone has to start somewhere, but I'd suggest this list might not be the best 
place to ask basic Linux questions.  There are some other really good places 
which I found very useful when I was starting out with this stuff:

http://www.linuxquestions.org/ is a good one.

Mark

-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of George Innocent
Sent: 07 August 2012 14:24
To: FreeRadius users mailing list
Subject: Re: Failed to authenticate the user

And how do I send this signal of change?

On Tue, Aug 7, 2012 at 4:03 PM, Alan DeKok al...@deployingradius.com wrote:


George Innocent wrote:
 How long do the RADIUS changes take to synchronize with the NAS; what
 commands should I use to make the changes made to the files take effect?


  You need to take a Unix 101 course.  You clearly have no idea what
you're doing.

  If you're editing the users file, then you will need to send the
server a HUP signal.


 So far the NAS authenticates successfully with 5-10 attempts before
 changes made get to synchronize with the NAS.


  No.


  Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

--
Regards:
George Innocent.

Nuffield College is a Registered Charity No. 1137506. Registered Office: 
Nuffield College, New Road, Oxford, OX1 1NF


Re: Configuring Freeradius with LDAP

2012-04-18 Thread Mark Holmes
I think

http://wiki.freeradius.org/Rlm_ldap

Has what you are after.

Mark



On 18 Apr 2012, at 18:53, Wassim Zaarour 
wassim.zaar...@navlink.commailto:wassim.zaar...@navlink.com wrote:

Hi List,

I have installed freeradius 2.1.12, and it's working well.

Now I need to configure it to authenticate with LDAP (Sun Directory Server) but 
I can't seem to find which file to configure in raddb, I can't find it in 
radiusd.conf

I'd appreciate any help on this.

Wassim C. Zaarour
Systems & Network Engineer



Re: Distributing Certificates

2012-01-20 Thread Mark Holmes
Your problem is going to be distributing the server cert to the clients NOT 
distributing client

Maybe I've missed something here, but why will he need to distribute a cert to 
clients?

If the certificate you use on your RADIUS server is signed by a known CA, the 
client should already have the relevant root certificate and so will trust the 
certificate presented by the server.

This is assuming he is using certificates for confirming identity of the 
server, not for EAP-TLS etc.

Cheers,

Mark



On 6 Jan 2012, at 21:43, Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote:

 It may be a misunderstanding on my part but I believe any encrypted protocol 
 would need a cert of some sort.  PEAP is an encrypted tunnel thus you will 
 need a cert.  FR will generate its own certs for testing but for production 
 you should generate your own.  We are making the move to 802.1x in the next 
 few months and will be using a self-signed cert on the FR server and 
 deploying it to the users' machines via a third party tool from a company 
 called cloud path.

 Suffice it to say that windows Vista and beyond MUST have the server cert 
 installed or be configured to ignore server certs before you can use any 
 encrypted protocol (such as, PEAP).  It WILL NOT work out-of-the-box!  XP 
 would show you a dialogue box with a warning but that functionality is gone 
 in Vista and 7.

 MAC OS and Linux will still allow you to download the cert and install it on 
 first use, windows will not.

 Your problem is going to be distributing the server cert to the clients NOT 
 distributing client certs (unless you are using EAP/TLS or the like), as 
 mentioned before AD makes this easy via GPO / login scripts.  However if your 
 clients are not part of your domain then you have very few choices.

 1) Roll your own program to install the cert for them
 2) Buy a solution to install the cert (like cloud path)
 3) issue instructions to the clients and have them install the certs manually
 4) go around and install all the certs yourself

 There are pros and cons for each.  BTW for security reasons you should use a 
 self-signed cert, that being the case you can make the cert valid for 99 
 years, then revoke it when you have time to redistribute them ; )

 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 900 College St.
 Belton, Texas
 76513
 Fone: 254-295-4658
 Phax: 254-295-4221


 -Original Message-
 From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
 [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] 
 On Behalf Of McSparin, Joe
 Sent: Friday, January 06, 2012 3:07 PM
 To: FreeRadius users mailing list
 Subject: RE: Distributing Certificates

 I don't have any particular desire to use certificates; thus far in testing 
 mode I have been using PEAP and just ignoring the warning that tells me there 
 is a certificate on the server that doesn't match.  I assumed in deployment I 
 would have to install certificates so the users wouldn't be confused when 
 they saw that message.  I thought that FreeRadius had to have certificates 
 set up even if they were just example ones.  Radiusd -X runs bootstrap which 
 creates example certificates automatically.  This led me to believe that 
 certificates were somehow integral to 802.1x.  Is that not the case?  If so 
 how can you take certificates completely out of the equation?


 Joseph R. McSparin
 Network Administrator
 Hill Country Memorial Hospital
 830 990 6638 phone
 830 990 6623 fax
 jmcspa...@hillcountrymemorial.org

 -Original Message-
 From: 
 freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org
  
 [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org]
  On Behalf Of David Mitton
 Sent: Friday, January 06, 2012 12:44 PM
 To: freeradius-users@lists.freeradius.org
 Subject: RE: Distributing Certificates

 You can do such things as suggested... but you haven't articulated what your 
 goal is and what you will be using the certificates for?
 802.1X doesn't require certificates... but you may want to use them 
 depending on what you are trying to do.

 Dave.


 Quoting Danner, Mearl jmdan...@samford.edu:

 If you are using AD and have a CA set up you can create
 autoenrollment gpo's for domain attached machines. You can issue
 either user or computer certs. Can also configure the Windows
 wireless supplicant via gpo.

 Mearl

 From:
 freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
 [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
 On Behalf Of McSparin, Joe
 Sent: Friday, January 06, 2012 10:18 AM
 To: FreeRadius users mailing list
 Subject: Distributing Certificates

 Now that I have my Radius server configured I need to begin
 implementation I have 600 computers that will be using it.  The
 question I am wondering is do I have to go around and install a
 certificate on every 

RE: Dial up error and freeradius is down

2011-04-01 Thread Mark Holmes
Hi,

-  Bandwidth is insufficient from the PPPoE server to the RADIUS server;

-  The server running RADIUS has insufficient capacity.

You don't say what bandwidth etc. you are on or what spec the server is, but 
unless it's pretty low end I'd be surprised if that was the issue if you only 
have 500 users.

Cheers,

Mark

-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Robin
Sent: 01 April 2011 15:52
To: freeradius-users@lists.freeradius.org
Subject: Dial up error and freeradius is down

Hi Friends,

I met a problem with FreeRADIUS 2.1.9 (MySQL + CentOS, about 500 PPPoE users) as 
below:

In general, I found some users couldn't dial in to RADIUS, and the log 
information is as below:

-  Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request from 
client mpth12 port 40039 - ID: 129 due to unfinished request 10524

-  Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet from 
client mpth12 port 40039 - ID: 129 due to recent request 10524.

-

I have two guesses:

-  Bandwidth is insufficient from the PPPoE server to the RADIUS server;

-  The server running RADIUS has insufficient capacity.

Could you help me?

Thank you very much.

Robin

Nuffield College is a Registered Charity No. 1137506. Registered Office: 
Nuffield College, New Road, Oxford, OX1 1NF
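As an added example (not code from this thread or from the FreeRADIUS project), the Python below parses "Discarding duplicate request" and "Discarding conflicting packet" lines of the kind Robin quoted and summarises them per client. The sample log is constructed: the client name, port and request numbers are taken from the two quoted lines and padded out with made-up follow-on lines. The point it makes is the one Mark's reply hints at: a duplicate is logged when the NAS retransmits before the server has answered the first copy, so the gap between successive discards of one (client, port, ID) is the NAS's retransmit timer as seen by the server, and the count of distinct unfinished request numbers is how many requests were still in flight. That is a request-latency symptom (usually a slow backend lookup, SQL in this setup) rather than a link-bandwidth one; a RADIUS packet is a few hundred bytes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the lines quoted in the thread; not a capture
# from Robin's server. Lines 3-6 are invented to give the parser more to do.
SAMPLE_LOG = """\
Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet from client mpth12 port 40039 - ID: 129 due to recent request 10524.
Fri Apr  1 19:22:12 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10525
Fri Apr  1 19:22:15 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10525
Fri Apr  1 19:22:40 2011 : Error: Discarding duplicate request from client mpth07 port 1645 - ID: 7 due to unfinished request 10601
Fri Apr  1 19:22:41 2011 : Info: an unrelated line the parser must ignore
"""

# radiusd's default log line: "<ctime> : <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : Error: "
    r"Discarding (?P<kind>duplicate request|conflicting packet) from client "
    r"(?P<client>\S+) port (?P<port>\d+) - ID: (?P<pid>\d+) due to "
    r"(?:unfinished|recent) request (?P<req>\d+)\.?$"
)


def parse_discards(log_text):
    """Return one dict per 'Discarding ...' line; every other line is skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
        e["port"], e["pid"], e["req"] = int(e["port"]), int(e["pid"]), int(e["req"])
        events.append(e)
    return events


def summarise(events):
    """Per-client counts, plus the set of server-side request numbers that
    were still unanswered when the NAS retransmitted."""
    out = defaultdict(lambda: {"duplicate": 0, "conflicting": 0, "stalled": set()})
    for e in events:
        rec = out[e["client"]]
        rec["duplicate" if e["kind"] == "duplicate request" else "conflicting"] += 1
        rec["stalled"].add(e["req"])
    return dict(out)


def retransmit_gaps(events):
    """Seconds between successive discarded retransmissions of the same packet,
    keyed by (client, port, RADIUS ID). The server must answer inside roughly
    this window or the next copy is discarded as well."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["client"], e["port"], e["pid"])].append(e["ts"])
    return {k: [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            for k, ts in by_key.items() if len(ts) > 1}


def diagnose(events):
    """One human-readable finding per client that produced discards."""
    findings = []
    for client, rec in summarise(events).items():
        findings.append(
            f"{client}: {rec['duplicate']} duplicate(s), {rec['conflicting']} "
            f"conflicting, {len(rec['stalled'])} request(s) unanswered at retransmit "
            f"- check request handling latency before suspecting bandwidth")
    return findings


if __name__ == "__main__":
    evs = parse_discards(SAMPLE_LOG)
    for line in diagnose(evs):
        print(line)
    for key, gaps in retransmit_gaps(evs).items():
        print(key, "retransmit gaps (s):", gaps)
```

A "conflicting packet" is the same RADIUS ID from the same client and port but with different contents while the first copy is still being processed; it is counted separately above because it is not a plain retransmission.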


Logging to Microsoft SQL

2011-02-27 Thread Mark Holmes
I'm looking at having freeradius log accounting information to an MS-SQL 
database on our centralised logging box.

Googling returns a lot of pages on this.  I had a look in at them but many 
relate to freeradius 1.  Before I go making a lot of work for myself needlessly 
- could anyone outline what I need to be doing, or point me in the direction of 
up to date instructions?

Many thanks,

Mark


Re: PEAP MSCHAPv2 error..

2011-02-09 Thread Mark Holmes
Thanks, Alan - got it fixed now.


On 8 Feb 2011, at 21:15, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 Entered bob as username, testing123 as password
 
 I get No such realm 'NULL'
 
 So added
 
 -
 realm test {
 authhost = LOCAL
 accthost = LOCAL
 }
 
 realm LOCAL {
 }
 
 realm NULL {
 }
 
 
 Now I get rejected - the following from the debug output looks relevant
 
 what is your 'users' entry file like for bob?
 
 [mschapv2] +- entering group MS-CHAP {...}
 [mschap] Told to do MS-CHAPv2 for bob@test with NT-Password
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 
 have you edited the modules/mschap file?
 
 mschap {
 
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
#ntlm_auth = /path/to/ntlm_auth --request-nt-key 
 --username=%{Stripped-User-Name:-%{User-Name:-None}} --chal
 lenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
 
 }
 
 do you fire off 
 
preprocess
suffix
ntdomain
 
 in that order, in the authorize section of inner-tunnel?
 
 I'm doing something silly, no doubt - but what?  Should this config just 
 work out of the box?
 
 it should do. I'm sure I've recently (Sept last year) got a fresh 2.1.x 
 server and slapped
 SoH patches on and it just worked with a Win7 client
 
 alan


PEAP MSCHAPv2 error..

2011-02-08 Thread Mark Holmes
Tested with PAP and radtest, as per 
http://deployingradius.com/documents/configuration/pap.html  

All works OK


Now I want to test from a Windows 7 wireless client using PEAP (MSCHAPv2).  The 
page seems to indicate this should pretty much work with default config.

So:-

I added wireless AP to clients.conf

---
client 163.1.40.141 {
secret = testing
 }


Disabled 'Validate server certificate' on the client

Entered bob as username, testing123 as password
 
I get No such realm 'NULL'

So added

-
realm test {
authhost = LOCAL
accthost = LOCAL
}

To proxy.conf - not sure this is the correct way of resolving a null realm, 
though.


And this time entered bob@test as the username, testing123 as password 

Now I get rejected - the following from the debug output looks relevant


[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for bob@test with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject   
[eap] Freeing handler 
++[eap] returns reject 
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = \010E=691 R=1   
EAP-Message = 0x04080004 
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE   


I posted the full debug output at 
http://www.nuffield.ox.ac.uk/scratch2/test-peap.log - as I wasn't sure posting 
all 900+ lines to this list would be appreciated - or is that OK in future?

The MSCHAP errors are line 901 onwards.

I'm doing something silly, no doubt - but what?  Should this config just work 
out of the box?

Appreciate any help.

Cheers

Mark
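An added example, not code from this post or from the FreeRADIUS project: a parser for the MS-CHAP-Error value that appears in the debug output above ("\010E=691 R=1"), and a helper that pairs it with the inner-tunnel "[mschap] FAILED:" line. The error codes are those defined in RFC 2759 for the MS-CHAP-V2 Failure packet; SAMPLE_DEBUG is a constructed excerpt that reproduces the quoted lines. The design point: the supplicant only ever receives the E= code (691 is the generic authentication failure), so the reason the server actually rejected the user, here that the stored NT-Password did not produce the expected MS-CHAP2-Response, is visible only in radiusd -X output.

```python
import re

# Failure codes from RFC 2759 section 6 (MS-CHAP-V2 Failure packet).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def parse_mschap_error(value):
    """Parse an MS-CHAP-Error attribute as radiusd -X prints it.

    The first octet is the MS-CHAP Ident, which the debugger shows as an octal
    escape such as \\010 (= 8). The remainder is the RFC 2759 text
    'E=eee R=r C=<hex challenge> V=v M=<message>'; only E= is required here."""
    m = re.match(r"^\\([0-7]{3})(.*)$", value, re.S)
    if m:
        ident, body = int(m.group(1), 8), m.group(2)
    elif value and ord(value[0]) < 0x20:      # raw control byte, not an escape
        ident, body = ord(value[0]), value[1:]
    else:
        ident, body = None, value
    fields = {}
    mm = re.search(r"\bM=(.*)$", body, re.S)  # M= is free text to end of value
    if mm:
        fields["M"] = mm.group(1).strip()
        body = body[:mm.start()]
    for key, val in re.findall(r"\b([ERCV])=(\S+)", body):
        fields[key] = val
    if "E" not in fields:
        raise ValueError(f"no E= field in MS-CHAP-Error: {value!r}")
    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "version": int(fields["V"]) if "V" in fields else None,
        "message": fields.get("M"),
    }


# Constructed excerpt reproducing the relevant lines of the debug output quoted
# in the post above.
SAMPLE_DEBUG = """\
[mschap] Told to do MS-CHAPv2 for bob@test with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
\tMS-CHAP-Error = "\\010E=691 R=1"
\tEAP-Message = 0x04080004
[peap] Tunneled authentication was rejected.
"""


def explain_reject(debug_text):
    """Pair the server's own reason ([mschap] FAILED: ...) with the E= code
    the client will see. Returns both so a log reviewer has the full picture."""
    reason, error = None, None
    for line in debug_text.splitlines():
        line = line.strip()
        if line.startswith("[mschap] FAILED:"):
            reason = line.split(":", 1)[1].strip()
        m = re.match(r'^MS-CHAP-Error\s*=\s*"?(.*?)"?$', line)
        if m:
            error = parse_mschap_error(m.group(1))
    return {"server_reason": reason, "client_sees": error}


if __name__ == "__main__":
    print(explain_reject(SAMPLE_DEBUG))
```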


FW: PEAP MSCHAPv2 error..

2011-02-08 Thread Mark Holmes
Ah - do I need to be authenticating against something like AD that does MS-CHAP?

I have AD here and that is the eventual goal, but trying to change as little as 
possible and keep it simple to begin with...

Mark

-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Mark Holmes
Sent: 08 February 2011 12:45
To: FreeRadius users mailing list
Subject: PEAP MSCHAPv2 error..


RE: FAQ and Wiki down?

2010-10-29 Thread Mark Holmes
Works for me also

-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Marinko Tarlac
Sent: 29 October 2010 15:40
To: dcjea...@gmail.com; FreeRadius users mailing list
Subject: Re: FAQ and Wiki down?

Works fine for me...

On 10/29/2010 4:33 PM, David Jea wrote:
 Hi,

 For past two days, I can't reach to these 2 tabs: FAQ and Wiki. All 
 the others are good.

 http://wiki.freeradius.org/index.php/FAQ
 http://wiki.freeradius.org/

 I thought it was my issue, but my internet is good, no proxy, tried 
 with IE and Firefox, it does seem to me that wiki site is down. 
 Thought should report.

 Thanks,
 David


RE: Removing domain name in freeradius

2010-10-13 Thread Mark Holmes
Thanks Phil.

Final question: At the moment, I can authenticate with username, but not with 
usern...@mydomain.ox.ac.uk

How do I tell freeradius to accept usern...@mydomain.ox.ac.uk (I don't mind if 
authenticating with just username without the domain fails)

Thanks,

Mark


RE: Problem with MSCHAP

2010-10-12 Thread Mark Holmes
OK,

Just to recap, I'm working on setting Freeradius up to authenticate users to 
our wireless network.  We want to use PEAP-MSCHAPv2 and authenticate against 
Active Directory.  I'm using samba and ntlm_auth.

Versions:freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

Needless to say it's failing.

I set the mydomain.ox.ac.uk realm in proxy.conf as someone on here suggested on 
Friday, and that has cleared up the warning about unknown realms.

When connecting, I still get several errors before auth fails.

I've pasted my debug output into the web tool and it picks out the following in 
red

security {
max_attributes = 200
reject_delay = 1 (This line in red)
status_server = yes
 }


(all in red)
Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /etc/raddb/attrs.access_reject


[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this. (In yellow)


I also see (not highlighted) that I'm still getting

[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect


I have configured modules/mschap to use ntlm_auth as follows

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Am I missing something in the MSCHAP config?

Cheers,

Mark


RE: Problem with MSCHAP

2010-10-12 Thread Mark Holmes
Alan,

Thanks for your reply.

how are you testing this - a real client, command line tool etc?  when you run 
it in full
debug mode - and you arent helping yourself by failing to post that here

I'm testing with a real client and access point.

OK - I wasn't sure posting the whole debug would be appreciated, but I have 
posted it at

http://www.nuffield.ox.ac.uk/scratch/debug-log-2.txt

 you should see the incantation of the ntlm_auth line - if not, then it's not 
 being called

I can only see two references to ntlm_auth, this:-


Module: Instantiating ntlm_auth
  exec ntlm_auth {
wait = yes
program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN 
--username=%{mschap:User-Name} --password=%{User-Password}
input_pairs = request
shell_escape = yes
  }

And another line indicating the ntlm_auth config file is being included:-

including configuration file /etc/raddb/modules/ntlm_auth

Should I also see ntlm_auth being called during the authentication - presumably 
I should...

Thanks,

Mark


-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Alan Buxey
Sent: 12 October 2010 10:41
To: FreeRadius users mailing list
Subject: Re: Problem with MSCHAP

Hi,

 I've pasted my debug output into the web tool and it picks out the following 
 in red
 
 security {
 max_attributes = 200
 reject_delay = 1 (This line in red)
 status_server = yes
  }
 
 
 (all in red)
 Module: Instantiating attr_filter.access_reject
   attr_filter attr_filter.access_reject {
 attrsfile = /etc/raddb/attrs.access_reject

ignore those - the word 'reject' is being flagged without context.

 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this. (In yellow)

okay.

 I also see (not highlighted) that I'm still getting
 
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect

and that will mean that MSCHAPv2 won't be working

 I have configured modules/mschap to use ntlm_auth as follows
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
 --username=%{mschap:User-Name:-None} 
 --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} 
 --nt-response=%{mschap:NT-Response:-00}
 
 Am I missing something in the MSCHAP config?

how are you testing this - a real client, command line tool etc?  when you run 
it in full debug mode - and you aren't helping yourself by failing to post that 
here - you should see the incantation of the ntlm_auth line - if not, then it's 
not being called...and it would be with the default configuration files.

alan


RE: Problem with MSCHAP

2010-10-12 Thread Mark Holmes
Ah - I think I see the issue - the ntlm auth line in modules/mschap is after 
the } so presumably not being read...

-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Mark Holmes
Sent: 12 October 2010 11:25
To: FreeRadius users mailing list
Subject: RE: Problem with MSCHAP
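The mistake Mark found above (the ntlm_auth line sitting after the closing brace of the mschap section, so it is not part of that module's configuration) is easy to make in raddb's brace-structured files and easy to check for mechanically. As an added example, not code from the thread or from the FreeRADIUS project, the Python below walks a config file tracking "name {" / "}" nesting and reports any "key = value" directive that sits outside every section, plus unbalanced braces. It assumes only simple nesting and "key = value" directives (it does not follow $INCLUDE); BROKEN and FIXED are constructed fragments of a modules/mschap file modelled on the one quoted in the thread. The authoritative check remains what the server prints when started with radiusd -X, which shows the configuration it actually read.

```python
import re

# "mschap {", "exec ntlm_auth {", "attr_filter attr_filter.access_reject {", ...
SECTION_OPEN = re.compile(r"^\s*[\w.\-]+(?:\s+[\w.\-]+)?\s*\{\s*$")
# "key = value"; bare module names listed in authorize { ... } do not match
DIRECTIVE = re.compile(r"^\s*([\w.\-]+)\s*=")


def strip_comment(line):
    """Drop a trailing '#' comment, but not a '#' inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def find_stray_directives(text):
    """Return [(line_no, message)] for directives outside every section,
    closing braces with no open section, and sections never closed."""
    findings, stack = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        if SECTION_OPEN.match(line):
            stack.append((line.strip().rstrip("{").strip(), n))
            continue
        if line.strip() == "}":
            if stack:
                stack.pop()
            else:
                findings.append((n, "closing brace with no open section"))
            continue
        m = DIRECTIVE.match(line)
        if m and not stack:
            findings.append((n, f"directive '{m.group(1)}' is outside every section"))
    for name, n in stack:
        findings.append((n, f"section '{name}' is never closed"))
    return findings


# Constructed fragment reproducing the mistake from the thread: the ntlm_auth
# directive landed after the closing brace of the mschap section.
BROKEN = '''\
mschap {
    use_mppe = yes
    require_encryption = yes
    with_ntdomain_hack = yes
}
# meant to be inside mschap { ... }
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
'''

# The same fragment with the directive where it belongs.
FIXED = '''\
mschap {
    use_mppe = yes
    require_encryption = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
'''

if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, find_stray_directives(cfg) or "no findings")
```

The braces inside the quoted ntlm_auth value do not confuse the scanner because a section only opens on a line that ends in "{" and only closes on a line that is exactly "}", which is how the shipped raddb files are laid out.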


MS-CHAP failing?

2010-10-12 Thread Mark Holmes
OK, getting somewhere, but still won't let me connect.  I can't see in the 
debug output why it fails.

I'm trying to authenticate against AD, using PEAP-MSCHAPv2

I have checked ntlm_auth is working by

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser 
--password=password

and I get (NT_STATUS_OK)

my /modules/ntlm_auth looks like this:-

exec ntlm_auth {
wait = yes
program = /path/to/ntlm_auth --request-nt-key 
--domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
}


and modules/mschap looks like this

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} 
--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} 
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response$
}


In the debug output I can see this - should authentication realm = LOCAL as 
below?

[suffix] Looking up realm mydomain.ox.ac.uk for User-Name = 
testu...@mydomain.ox.ac.uk
[suffix] Found realm mydomain.ox.ac.uk
[suffix] Adding Stripped-User-Name = testuser
[suffix] Adding Realm = mydomain.ox.ac.uk
[suffix] Authentication realm is LOCAL.


When I paste the debug into the checker it highlights this:-

[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.

But not sure I need to worry about that as I'm not doing PAP

Can't see anything else in there indicating a problem, but when I try to 
connect a device (my iPhone) it just returns a 'cannot connect to' message

What am I missing?  No doubt something obvious


Debug output


FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 
at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary

RE: MS-CHAP failing?

2010-10-12 Thread Mark Holmes
Stephen,

Thanks for this.

Actually I messed up - my ntlm_auth looks like this (which I think is correct)

exec ntlm_auth {
wait = yes
program = /usr/bin/ntlm_auth --request-nt-key 
--domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
}

The /path/to/ntlm_auth line is commented out in my config.

Cheers

Mark

-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Sallee, Stephen (Jake)
Sent: 12 October 2010 15:03
To: FreeRadius users mailing list
Subject: RE: MS-CHAP failing?

Just checking but you did see the problem in the following line of config,
right?

exec ntlm_auth {
  wait = yes
program = ***/PATH/TO/NTLM_AUTH *** --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}
}

I understand if you left it out on purpose but this code WILL NOT work
in production ; )

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Mark Holmes
Sent: Tuesday, October 12, 2010 8:47 AM
To: FreeRadius users mailing list
Subject: MS-CHAP failing?

OK, getting somewhere, but still won't let me connect.  I can't see in
the debug output why it fails.

I'm trying to authenticate against AD, using PEAP-MSCHAPv2

I have checked ntlm_auth is working by

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser
--password=password

and I get (NT_STATUS_OK)

my /modules/ntlm_auth looks like this:-

exec ntlm_auth {
wait = yes
program = /path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}
}


and modules/mschap looks like this

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response$
}


In the debug output I can see this - should authentication realm = LOCAL
as below?

[suffix] Looking up realm mydomain.ox.ac.uk for User-Name =
testu...@mydomain.ox.ac.uk
[suffix] Found realm mydomain.ox.ac.uk
[suffix] Adding Stripped-User-Name = testuser
[suffix] Adding Realm = mydomain.ox.ac.uk
[suffix] Authentication realm is LOCAL.


When I paste the debug into the checker it highlights this:-

[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.

But not sure I need to worry about that as I'm not doing PAP

Can't see anything else in there indicating a problem, but when I try to
connect a device (my iPhone) it just returns a 'cannot connect to'
message

What am I missing?  No doubt something obvious


Debug output


FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb

RE: MS-CHAP failing?

2010-10-12 Thread Mark Holmes
Alan,

Well spotted! - yes there was a bit missing from the end of that line in mschap 
- response=%{mschap:NT-Response:-00}. 'Twas indeed a cut-and-paste error.

Thanks very much - it now works!

Cheers,

Mark


-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Alan Buxey
Sent: 12 October 2010 15:04
To: FreeRadius users mailing list
Subject: Re: MS-CHAP failing?

Hi,

 my /modules/ntlm_auth looks like this:-
 
 exec ntlm_auth {
 wait = yes
 program = /path/to/ntlm_auth --request-nt-key 
 --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
 }

I'd hope it doesn't look like that - fix the /path/to bit to give it the proper 
details.

 and modules/mschap looks like this
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
 --username=%{mschap:User-Name:-None} 
 --domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} 
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response$
 }

and that entry looks a little broken too - ending in $ - a cut and paste issue?

 Sending Access-Challenge of id 5 to 192.168.30.1 port 1162
 EAP-Message = 
 0x0106004119001403010001011603010030f615a58846d51361b77eab5683e34a0a744f3af094b2c5478a0a1042f89c4f48d3f71abaae4bd259922300d95ae0bfb4
 Message-Authenticator = 0x
 State = 0xbc7efc4cb978e53c4bf33c60bc849290
 Finished request 11.

and waiting and challenging... what client are you using? This looks like a
Windows client that doesn't have the RADIUS CA installed on it.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Removing domain name in freeradius

2010-10-12 Thread Mark Holmes
Hi all,

Currently when users connect to our WLAN they enter their username thus:- 
firstname.lastn...@mydomain.ox.ac.uk

Is there a way I can strip everything after the @ out (ie the domain) - so they 
are forced to authenticate against the domain I specify.

At the moment in my test environment, as long as I DON'T specify the domain it 
works - so I'm looking to strip out the domain name if they DO specify it.

Cheers,

Mark



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem with MSCHAP

2010-10-08 Thread Mark Holmes

This is my first post to this list, so first of all, hi!


I'm new to freeradius, I'm working on setting it up to authenticate users to 
our wireless network.  We want to use PEAP-MSCHAPv2 and authenticate against 
Active Directory.  I'm using samba and ntlm_auth.

Versions:freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

I have the ntlm_auth part working in as far as I can put DEFAULT Auth-Type = 
ntlm_auth in users and then do

radtest user password localhost 0 testing123

and I see the server returns Access-Accept.

I then configure MS-CHAP, removing the DEFAULT Auth-Type from users and editing 
modules/mschap as follows

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

and set up a wireless access point, add it to clients and have it point 
at the radius server

Now when I try to connect I get Access-Reject - I've tried a couple of devices 
- an iPhone and a Win XP machine.

Output from radius -X at the bottom of this message.  The bit that looks 
relevant to me is

++[mschap] returns noop

Which I guess indicates a problem with mschap somewhere

Also 

[suffix] Looking up realm mydomain.ox.ac.uk for User-Name = 
firstname.lastn...@mydomain.ox.ac.uk
[suffix] No such realm mydomain.ox.ac.uk

However I'm not sure I need to worry about that bit - at the moment this is 
just a single, stand alone RADIUS server so I'm not sure I need to worry about 
realms or do I?

Not sure where to go from here - are there some basic things I should check?  I 
haven't included my conf files in this post but happy to do so if required.

Any advice/hints much appreciated as to how I should look to troubleshoot this.

Thanks,

Mark

Output from -X

Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=39, 
length=267
Message-Authenticator = 0x2e5d3be1821aead988b3d37cba9afd08
Service-Type = Framed-User
User-Name = firstname.lastn...@mydomain.ox.ac.uk
Framed-MTU = 1488
State = 0x0f85e60107a2ffd7a9724559c0c7d131
Called-Station-Id = 00-24-73-54-22-C2:Test-WLAN
Calling-Station-Id = 78-E4-00-B2-E2-D5
NAS-Identifier = Wireless AP - I6
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 
0x0227002b1900170301002067b2b3a9663cb4262b845b709b8619eb1d6ae803961cb66e52227722f3d8e496
NAS-IP-Address = 192.168.1.10
NAS-Port = 4
NAS-Port-Id = STA port # 4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm mydomain.ox.ac.uk for User-Name = 
firstname.lastn...@mydomain.ox.ac.uk
[suffix] No such realm mydomain.ox.ac.uk
++[suffix] returns noop
[eap] EAP packet type response id 39 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 
firstname.lastn...@mydomain.ox.ac.uk
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 99 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 99
Sending Access-Reject of id 39 to 192.168.1.10 port 1286
EAP-Message = 0x04270004
Message-Authenticator = 0x
Waking up in 3.7 seconds.
Cleaning up request 90 ID 30 with timestamp +1733
Cleaning up request 91 ID 31 with timestamp +1733
Cleaning up request 92 ID 32 with timestamp +1733
Cleaning up request 93 ID 33 with timestamp +1733
Cleaning up request 94 ID 34 with timestamp +1733
Cleaning up request 95 ID 35 with timestamp +1733
Cleaning up request 96 ID 36 with timestamp +1733
Cleaning up request 97 ID 37 with timestamp +1733
Cleaning up request 98 ID 38 with timestamp +1733
Waking up in 0.9 seconds.
Cleaning up request 99 ID 39 with timestamp +1733
Ready to process requests.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Problem with MSCHAP

2010-10-08 Thread Mark Holmes
All,

Many thanks for the replies.

 Firstly, don't set Auth-Type. It's almost always the wrong thing to do.

Sure - I set that just to test the AD auth was working, and removed it again 
prior to configuring mschap.

EAP is a multi-pass protocol; there will be 4-8 requests, and the actual 
MS-CHAP failure will be somewhere in the middle, after the EAP-PEAP TLS 
tunnel is established, but before the failure is sent.

Ah - doh!

I wasn't sure about posting the whole lot to this list as it runs to quite a 
few lines so posted it here 

http://www.nuffield.ox.ac.uk/scratch/logfile.txt

Thanks,

Mark





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
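One way to read a `radiusd -X` trace the way the reply above describes: because EAP/PEAP is a multi-pass exchange, the closing Access-Reject is the last packet of the conversation and the real MS-CHAP or realm problem sits several packets earlier. The script below is an added example, not code from this thread or from the FreeRADIUS project. It splits the trace at each `rad_recv` line, ranks the diagnostics found in each request, and reports the earliest hard failure instead of the final reject. The sample trace is constructed from the line shapes quoted in this thread; the severity ranking and the function names (`split_requests`, `first_hard_failure`, `final_verdict`) are this example's own choices.

```python
"""Triage a FreeRADIUS 2.x `radiusd -X` trace request by request (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (severity, pattern): the line shapes are those printed by 2.x; the
# severity ranking is this example's own assumption.
DIAGNOSTICS = [
    ("error",  re.compile(r"\+\+\[[\w.]+\] returns (reject|fail|invalid)")),
    ("error",  re.compile(r"^\[[\w.]+\]\s+FAILED:")),
    ("error",  re.compile(r"Had sent TLV failure")),
    ("error",  re.compile(r"^Failed to authenticate the user\.")),
    ("notice", re.compile(r"^\[[\w.]+\]\s+WARNING")),
    ("notice", re.compile(r"^\[[\w.]+\]\s+No such realm ")),
]
RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+)")


@dataclass
class RequestChunk:
    packet_id: str
    source: str
    verdict: str = "none"            # Access-Accept / Access-Reject / Access-Challenge
    errors: List[str] = field(default_factory=list)
    notices: List[str] = field(default_factory=list)


def split_requests(trace: str) -> List[RequestChunk]:
    """Group debug lines by the rad_recv line that starts each request."""
    chunks: List[RequestChunk] = []
    current: Optional[RequestChunk] = None
    for raw in trace.splitlines():
        line = raw.strip()
        m = RAD_RECV.match(line)
        if m:
            current = RequestChunk(packet_id=m.group(4), source=f"{m.group(2)}:{m.group(3)}")
            chunks.append(current)
            continue
        if current is None:          # noise printed before the first request
            continue
        s = SENDING.match(line)
        if s:
            # A delayed reject can be logged after later requests have started,
            # so attach the verdict to the chunk carrying that packet id.
            for c in reversed(chunks):
                if c.packet_id == s.group(2):
                    c.verdict = s.group(1)
                    break
            continue
        for severity, pat in DIAGNOSTICS:
            if pat.search(line):
                (current.errors if severity == "error" else current.notices).append(line)
                break
    return chunks


def first_hard_failure(chunks: List[RequestChunk]) -> Optional[Tuple[str, str]]:
    """(packet id, first error line) of the earliest request that actually failed."""
    for c in chunks:
        if c.errors:
            return c.packet_id, c.errors[0]
    return None


def final_verdict(chunks: List[RequestChunk]) -> Optional[Tuple[str, str]]:
    """(packet id, verdict) of the last request that received a reply."""
    for c in reversed(chunks):
        if c.verdict != "none":
            return c.packet_id, c.verdict
    return None


# Constructed sample: three passes of one PEAP conversation, modelled on the
# line shapes quoted in this thread.  The inner MS-CHAP failure is in the
# middle request; the reject only arrives on the last one.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=37, length=200
++[mschap] returns noop
[suffix] Looking up realm mydomain.ox.ac.uk for User-Name = first.last@mydomain.ox.ac.uk
[suffix] No such realm mydomain.ox.ac.uk
++[suffix] returns noop
++[eap] returns ok
Sending Access-Challenge of id 37 to 192.168.1.10 port 1286
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=38, length=240
++[eap] returns ok
[peap] Got tunneled request
++[mschap] returns ok
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
[peap] Tunneled authentication was rejected.
Sending Access-Challenge of id 38 to 192.168.1.10 port 1286
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=39, length=267
++[mschap] returns noop
[suffix] No such realm mydomain.ox.ac.uk
++[eap] returns ok
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 99 for 1 seconds
Sending Access-Reject of id 39 to 192.168.1.10 port 1286
"""

if __name__ == "__main__":
    found = split_requests(SAMPLE_TRACE)
    print("final verdict:", final_verdict(found))
    print("root cause:   ", first_hard_failure(found))
```

On the constructed trace the final verdict is the reject on packet id 39, while the root cause is the `[mschap] FAILED:` line on packet id 38; the `No such realm` notice on the first pass is reported separately so it is not mistaken for the failure.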


Re: Problem with MSCHAP

2010-10-08 Thread Mark Holmes
do you REALLY want to accept what the user puts in as the gospel truth?  ie, 
I wouldn't be comfortable
taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it 
really was a local user!)

Good point.

Our existing setup uses IAS, and is configured to expect the domain to be 
appended.  I want to switch to FreeRADIUS without too many changes being 
required client side - possibly even none if I moved the cert from the IAS box 
to the FreeRADIUS machine.

Cheers,

Mark


On 8 Oct 2010, at 14:59, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

do you REALLY want to accept what the user puts in as the gospel truth?  ie, I 
wouldn't be comfortable
taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it 
really was a local user!)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
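The two points raised in this thread, stripping whatever the user types after the `@` ("Removing domain name in freeradius" above) and Alan Buxey's point that the user-supplied domain should not be handed to `ntlm_auth` as gospel, come down to one rule: the client's identity string is untrusted input, and the domain the server authenticates against is an operator setting. The mschap line quoted in this thread, `--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}`, does the reverse, since the client's domain wins and the configured one is only a fallback. The helper below is an added example, not code from the thread, from FreeRADIUS or from Samba. It accepts both `user@realm` and `DOMAIN\user` spellings, strips them, checks the typed realm against an allow-list, always emits the configured domain, and builds an argument list (no shell) for the `ntlm_auth` call. `CONFIGURED_DOMAIN`, `ALLOWED_REALMS`, the account-name pattern and all function names are this example's assumptions; the sample identities are constructed.

```python
"""Normalise the identity handed to ntlm_auth so the client cannot pick the domain (added example)."""
import re
from typing import List, Optional, Tuple

NTLM_AUTH = "/usr/bin/ntlm_auth"                    # path used in this thread
CONFIGURED_DOMAIN = "MYDOMAIN"                      # assumed operator-set value
ALLOWED_REALMS = {"mydomain.ox.ac.uk", "MYDOMAIN"}  # assumed allow-list of realms served here
# Conservative shape for the bare account name (assumption: letters, digits, . _ -, max 20).
SAM_ACCOUNT = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


class IdentityError(ValueError):
    """Raised when the typed identity must not reach ntlm_auth."""


def split_identity(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (bare user, realm or domain as typed, or None if none was typed).

    DOMAIN\\user is split at the first backslash; user@realm at the last '@'
    (this example's choice, matching the suffix style seen in the thread).
    """
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return user, domain
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm
    return user_name, None


def normalise(user_name: str) -> Tuple[str, str]:
    """Strip any typed realm/domain and return (user, CONFIGURED_DOMAIN).

    A typed realm is only tolerated if it is one this server serves; it is
    never forwarded, so the client cannot steer the lookup to another domain.
    """
    user, supplied = split_identity(user_name)
    if not SAM_ACCOUNT.match(user):
        raise IdentityError(f"unacceptable account name: {user!r}")
    if supplied is not None and supplied.lower() not in {r.lower() for r in ALLOWED_REALMS}:
        raise IdentityError(f"realm {supplied!r} is not served here")
    return user, CONFIGURED_DOMAIN


def ntlm_auth_argv(user_name: str, password: str) -> List[str]:
    """Argument vector for subprocess.run(..., shell=False): one argument per flag,
    so nothing in the identity is ever interpreted by a shell."""
    user, domain = normalise(user_name)
    return [NTLM_AUTH, "--request-nt-key", f"--domain={domain}",
            f"--username={user}", f"--password={password}"]


def is_rejected(user_name: str) -> bool:
    """True if normalise() refuses the identity (used by the demo and the test)."""
    try:
        normalise(user_name)
    except IdentityError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample identities: the spellings seen in this thread plus two
    # that must be refused (foreign realm, foreign NT domain).
    for ident in ("firstname.lastname@mydomain.ox.ac.uk", "MYDOMAIN\\testuser",
                  "testuser", "testuser@evil.example", "OTHER\\testuser"):
        print(f"{ident:40} -> {'rejected' if is_rejected(ident) else normalise(ident)}")
```

In the thread's terms this is the equivalent of having the `suffix` realm module strip the realm and then passing a fixed `--domain=` to `ntlm_auth`, rather than `--domain=%{mschap:NT-Domain}`; the allow-list step is the extra check that a typed realm belonging to some other organisation is refused outright instead of silently mapped onto the local domain.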